E - Banking
Nikola Skundric nikolas@galeb.etf.bg.ac.yu Prof. Dr. Veljko Milutinovic vm@etf.bg.ac.yu Milos Kovacevic milos@grf.bg.ac.yu Nikola Klem klem@grf.bg.ac.yu
University of Belgrade
Outline

I. Introduction to e-Banking
   - What is an e-Bank and why to do e-Banking
   - Some facts about e-Banking
II. Security issues
   - Overview of the security problems
   - Cryptography basics
   - Digital Signatures
   - Digital Certificates
   - Secure Sockets Layer (SSL)
III.
IV. Conclusion
Part I
Introduction to E - Banking
Introduction
Banking consumers today have more options than ever before:
- brick and mortar institution (has a building and personal service representatives)
- brick and click institution (physical structure + Internet bank services)
- virtual bank (no public building exists, only online)
What Is an E-Bank?
Traditional banking business assumes:
- Customer desk at the bank's building
- Office hours from 8.00 am to 7.00 pm
Customers have:
- Their job during the day
- Family or other activities after the job
Collision!
What Is an E-Bank?
The logical answer is to use e-channels:
- Internet
- WAP based mobile network
- Automated telephone
- ATM network
- SMS and FAX messaging
- Multipurpose information kiosks
E-channels enable financial transactions from anywhere and allow non-stop working time.
What Is an E-Bank?
E-Bank is transforming the banking business into e-Business by utilizing e-Channels.
Customers' requests are:
- Non-stop working time
- Using services from anywhere
E-channels provide:
- Working time 0 - 24h
- Great flexibility
Perfect match!
Internet Banking
In this tutorial we shall focus on Internet Banking. There is no need to explain why the Internet is such an important e-channel:
- 670 million users worldwide (end of 2001)
- Almost 1.2 billion users in 2005 (forecasts, worldwide)
- 54% of U.S. population (143 mil.) is using it (February 2002)
- Every month 2 million users are going online in the USA alone
Many consumers also like the idea of not waiting in line to do their banking, and paying their bills without shuffling papers and buying stamps.
Some Facts
- More than 12 million Internet bank consumers in Europe
- In Germany 51% of the online population use online banking services (average for Europe is 10%; expected to be 15% by the end of 2003)
- Structural change in the new economy (USA)
- More than $2B in investments planned for 2005
- Today about 1,100 U.S. banks, large and small, provide full-fledged transactional banking on-line
- In the next two years an additional 1,200 transactional on-line banks are expected
- By 2005, the number of such banks should increase to more than 3,000
E-Banking in Serbia
- Small percentage of users
- Fairly large interest
E-Banking in Serbia
- Electronic turnover of Delta banka: 6.5 billion dinars in the first three months
- 25% of the orders at Raiffeisen banka arrive electronically
- At HVB banka every second order is electronic
- 35% of the turnover of Nacionalna štedionica goes through electronic services
- 30% of Atlas banka clients use electronic banking
Source: Mikro, June 2003.
Internet Banking
Using the Internet as an e-Channel makes financial services available to a wide population (WWW service). In this tutorial we shall focus on Internet banking.
Part II
Security Issues
Security problems
Online banking relies on a networked environment:
- Network access can be performed through a combination of devices (PC, telephone, interactive TV equipment, card devices with embedded computer chips, ...)
- Connections are completed primarily through telephone lines and cable systems, in some instances even wireless technology
- All these systems improve efficiency, speed and access, but also present some privacy and security issues
Worth noting: internal attacks are potentially the most damaging!
Security Problems
The Internet is a public network and open system where the identity of the communicating partners is not easy to establish. The communication path is non-physical and may include any number of eavesdropping and active interference possibilities. Internet communication is much like anonymous postcards, which are answered by anonymous recipients. Although open for everyone to read, and even write in them, they must carry messages between specific endpoints in a secure and private way.
Security Problems
PROBLEMS
Data Alteration: How can I be certain that my personal information is not altered by online eavesdroppers when I enter into a secure transaction on the Web?
Spoofing: How can I reassure customers who come to my site that they are doing business with me, not with a fake set up to steal their credit card numbers?
Eavesdropping: How can I be certain that my customers' account number information is not accessible to online eavesdroppers when they enter into a secure transaction on the Web?
Privacy no eavesdropping
When a URL begins with https, it identifies the site as secure (meaning that it encrypts, or scrambles, the transmitted information).
- Make sure your transmissions are encrypted before doing any online transactions or sending personal information.
- E-mail is usually not secure. Do not send sensitive data via e-mail (unless you know it is encrypted).
- Change all passwords and PIN codes received via e-mail that is not encrypted.
- Make sure you are on the right website.
- Make sure that the financial institution is properly insured.
- Be password smart (use a mix of letters and numbers; change your password regularly; keep your password and PIN codes to yourself; avoid easy to guess passwords like first names, birthdays, anniversaries, social security numbers, ...).
- Keep good records. Save information about banking transactions.
- Check bank, debit and credit card statements thoroughly every month. Look for any errors or discrepancies.
- Report errors, problems or complaints promptly.
- Keep virus protection software up-to-date.
- Back up key files regularly.
- Exit the banking site immediately after completing your banking.
- Do not have other browser windows open at the same time you are banking online.
- Do not disclose personal information such as credit card and Social Security numbers unless you know whom you are dealing with, why they want this information and how they plan to use it.
Cryptography Basics
Cryptography provides privacy.
Diagram: the sender runs the message (plaintext) through the encryption algorithm to get the encrypted message (cyphertext); the receiver runs the cyphertext through the decryption algorithm to recover the message (plaintext). Keys: symmetric or asymmetric approach (next slides).
Symmetric Approach
Both sides use the same key for encryption and decryption.
Diagram: the sender encrypts the message (plaintext) with the symmetric key into the encrypted message (cyphertext); the receiver decrypts it with the same symmetric key.
- Convenient for bulk data encryption (computationally faster than other methods)
- Problem: key distribution
- Examples: DES (Data Encryption Standard, IBM & National Bureau of Standards, 1977; breaking record 22h 15m), 3DES (enhanced DES), AES (Joan Daemen & Vincent Rijmen, 2000)
Asymmetric Approach
The sender uses the public key for encryption, the receiver uses the private key for decryption.
Diagram: the sender encrypts the message (plaintext) with the receiver's public key into the encrypted message (cyphertext); the receiver decrypts it with its private key.
- Convenient for short data encryption (computationally slower than other methods)
- Problem: binding the public key to its owner
- Examples: RSA (Ronald Rivest, Adi Shamir & Leonard Adleman, 1977), with the basics given by Whitfield Diffie & Martin Hellman (1976)
Hybrid Approach
- Uses the asymmetric approach for passing the symmetric key
- Uses the symmetric approach for data encryption
Digital Signatures
Cryptography provides privacy, but what about security? As mentioned before, from a security point of view, we have to achieve three important things:
- Origin Authentication: Was the message sent by the declared sender?
- Data-integrity Authentication: Was the message changed after it was sent?
- Non-repudiation: Prevention of a denial of a previous act.
Digital Signatures
Process of generation of Digital Signatures:
1. Creating a message digest using a one-way hashing algorithm (MD5 from RSA, SHA-1 from NIST)
2. Encrypting the digest with the private key
Digital Signatures
Authentication of the message using Digital Signature:
Diagram: Sender: the hashing algorithm (HA) over the message gives the digest; the digest encrypted with the sender's private key is the digital signature (DS); message and signature (Msg*, DS*) are sent. Receiver: HA over the received Msg* gives one digest; decrypting DS* with the sender's public key gives the other; the message is authentic if the two digests match.
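The hybrid approach and the two-step signature process above, as an added example that is not part of the tutorial: textbook RSA over two Mersenne primes (a constructed key with no padding, far shorter than a bank's keys), SHA-1 as the hash named on the slide, and a constructed payment order as the message. Function names such as make_keypair, sign, verify and transport_session_key are this example's own.

```python
import hashlib
import secrets
from math import gcd

# Textbook RSA over two Mersenne primes, constructed for illustration only:
# no padding, and far shorter than the 2048-bit keys a bank would use.
P, Q = 2**127 - 1, 2**89 - 1

def make_keypair():
    """Return ((e, n), (d, n)): the public key and the private key."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    e = 65537
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)               # private exponent (Python 3.8+)
    return (e, n), (d, n)

def digest(message: bytes) -> int:
    # Step 1 on the slide: one-way hash of the message. SHA-1 as named there
    # (SHA-256 today); n is 216 bits, so the 160-bit digest is below n.
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    # Step 2 on the slide: "encrypt" the digest with the private key.
    d, n = private_key
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    # Receiver: recover the signed digest with the public key and compare it
    # with a digest computed from the message actually received.
    e, n = public_key
    return pow(signature, e, n) == digest(message)

def transport_session_key(public_key):
    # Hybrid approach: a fresh 128-bit symmetric key travels under the public key;
    # the bulk data would then be encrypted symmetrically with it.
    e, n = public_key
    k = secrets.randbits(128)
    return k, pow(k, e, n)            # (key kept by the sender, ciphertext sent)

def recover_session_key(ciphertext: int, private_key) -> int:
    d, n = private_key
    return pow(ciphertext, d, n)

def demo():
    pub, priv = make_keypair()
    order = b"pay 100.00 EUR to account 12345678"     # constructed message
    sig = sign(order, priv)
    tampered = b"pay 900.00 EUR to account 12345678"  # one digit altered in transit
    k, c = transport_session_key(pub)
    return (verify(order, sig, pub),                  # True: origin and integrity hold
            verify(tampered, sig, pub),               # False: alteration detected
            recover_session_key(c, priv) == k)        # True: receiver has the session key
```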
Digital Signatures
Non-repudiation: a service that prevents the denial of a previous act.
A. Menezes Handbook of Applied Cryptography
A non-repudiation service provides proof of the integrity and origin of data, both in an unforgeable relationship, which can be verified by any third party at any time.
Digital Certificates
- Man-in-the-middle attack (gaining knowledge over controlled data)
- Problems caused by a false certification or no certification mechanism
These problems do not disappear with encryption or even a secure protocol.
Certification
Certificates provide a strong binding between the public key and some attribute (name or identity). Certificates introduce tamperproof attributes used to help someone receiving a message decide whether the message, the key and the sender's name are what they appear to be, without asking the sender. Absolute certification methods are logically impossible because a certificate cannot certify itself.
Digital Certificates
An electronic file that uniquely identifies communication entities on the Internet. It associates the name of an entity with its public key. It is issued and signed by a Certification Authority.
Everybody trusts the CA, and the CA is responsible for the entity name / public key binding.
De facto standard
The Directory is implemented by CA, which issues certificates to subscribers (CA clients) in order for such certificates to be verifiable by users (the public in general).
Certification Authority
CA is a general designation for any entity that controls the authentication services and the management of certificates (also called issuer). CAs are in general independent, even in the same country.
Diagram: kinds of CA
- Private: e.g. a bank, a company for private needs
- Public:
  - Personal: you, me
  - Commercial: VeriSign, Thawte
- The certificate holder's unique name (DN)
- Version of the certificate format
- Certificate serial number
- Signature algorithm identifier (for the certificate issuer's signature)
- Certificate issuer's name (the CA)
- Validity period (start/expiration dates/times)
- Extensions
The certificate is signed by the CA with its private key.
The CA's PK may be the target of an extensive decryption attack. That is why CAs should use very long keys and change keys regularly. Unfortunately there are exceptions. Top-level CAs are the most probable targets, because their keys are used by a large number of verifiers, yet it may not be practical for them to change keys frequently because their keys may be written into software (such as browsers). So the CAs that may be the most probable targets are the ones that offer the smallest protection level. Protection, in this case, is an inverse function of worth.
www.verisign.com
how to apply for DC, security related stuff
www.thawte.com
how to apply for DC, security related stuff
Server, on each received record:
- Decrypts data with the SSK
- Calculates a new MAC and verifies the old one
- Reassembles the message
Failures to authenticate, decrypt or otherwise get correct answers result in a close of the connection.
Handshake (diagram):
- SERVER-HELLO message + Connection ID
- CLIENT-MASTER-KEY message + Encrypted SSK (encrypted with SPK)
- Server decrypts the SSK with its own SK and sends an ack. From now on use the SSK!
- SERVER-VERIFY message + Responding challenge (encrypted with SWK)
- CLIENT-FINISHED message (encrypted with CWK)
- OK?
SSL Keys
There are a number of keys used over the course of a conversation:
- Server's public key (SPK)
- Master key (SSK), randomly generated
- Client-read-key, also called Server-write-key (CRK/SWK)
- Client-write-key, also called Server-read-key (CWK/SRK)
CWK & CRK are derived via a secure hash from the master key, the challenge, and the connection ID. Only the master key is sent encrypted (with SPK). The master key is reused across sessions, while the read and write keys are generated anew for each session.
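The per-session key derivation described above, as an added example that is not part of the tutorial. The slide does not name the hash, so the example assumes the SSL 2.0 key-material layout (MD5 over the master key, a "0"/"1" label, the challenge and the connection ID); MD5 is used only because SSL 2.0 did, and the function names are this example's own.

```python
import hashlib
import secrets

# Assumed SSL 2.0 layout: KEY-MATERIAL = MD5(MASTER-KEY || label || CHALLENGE || CONNECTION-ID),
# label "0" for the client-read key and "1" for the client-write key.
# MD5 appears only because SSL 2.0 used it; it is not a choice to copy today.

def key_material(master_key: bytes, label: bytes, challenge: bytes, connection_id: bytes) -> bytes:
    return hashlib.md5(master_key + label + challenge + connection_id).digest()

def derive_session_keys(master_key: bytes, challenge: bytes, connection_id: bytes) -> dict:
    """Return the two directional keys under the names the slide uses."""
    return {
        "CRK/SWK": key_material(master_key, b"0", challenge, connection_id),  # client reads, server writes
        "CWK/SRK": key_material(master_key, b"1", challenge, connection_id),  # client writes, server reads
    }

def new_session(master_key: bytes) -> dict:
    # The client's challenge and the server's connection ID are fresh random values
    # per session, so the session keys change although the master key does not.
    return derive_session_keys(master_key, secrets.token_bytes(16), secrets.token_bytes(16))

def demo() -> tuple:
    master_key = secrets.token_bytes(16)   # sent once, encrypted with SPK (not shown here)
    s1, s2 = new_session(master_key), new_session(master_key)
    fresh_keys_per_session = s1["CRK/SWK"] != s2["CRK/SWK"] and s1["CWK/SRK"] != s2["CWK/SRK"]
    directions_differ = s1["CRK/SWK"] != s1["CWK/SRK"]
    # A changed challenge alone is enough to change both keys (constructed nonces).
    challenge_matters = (derive_session_keys(master_key, b"A" * 16, b"B" * 16)
                         != derive_session_keys(master_key, b"C" * 16, b"B" * 16))
    return fresh_keys_per_session, directions_differ, challenge_matters
```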
Part III
In-house Architecture (diagram):
- CustomerLink Server (On Site) (CustomerLink Primer)
- In-house Web Server (On Site)
- Security Firewall (On Site)
- Router (On Site)
Out-of-house Architecture (diagram):
- ASP (Equifax): Web server, CustomerLink server, Core server
- Bank site
Tiers: presentation logic, application logic
Presentation Logic
Diagram: a web thin client (browser) talks over HTTP to the web server.
Presentation logic forms HTML and interacts with the application tier.
Application Logic
- BOB = Business objects; can be on a single or multiple app. servers
- Written in C/C++, Java (EJB), COBOL
- Object communication: CORBA, DCOM, RMI
  - CORBA = Common Object Request Broker Architecture
  - DCOM = Distributed Component Object Model
  - RMI = Remote Method Invocation
- SQL through JDBC/ODBC
Diagram (app. server with BOBs): 1 Request for service (J2J object communication); 2 Request to the data tier; 3 Required data; 4 Data response
ASP offers:
Disadvantages:
- Every workstation needs Internet access
- Broad bandwidth necessary
- Doubtful data security on the Internet
- Not all applications have Internet compatible surfaces yet
- Loss of the company's independence
Decision diagram: Bank size? (big, ...) leading to the options SCS, ASP, CHP, WPA, WPH, IS, CDP, WPD (abbreviations not expanded on the slide).
Bill Payment:
CheckFree, www.checkfree.com
Card Payment:
RS2 Software Group, www.rs2group.com, BankWorks
Education of Staff
Studies show that the education of banks' staff in using the Internet channel is often incomplete. Staff should provide answers to FAQ about using the Internet channel to their customers.
"You do it (Internet Banking) because everyone does it, but you don't think it is important to you."
The education process can be done through:
- Courses after the job
- Stimulating staff to use Internet Banking from home (participating in PC purchase, obtaining discounts from the local ISP)
Permanent Marketing
We have a good solution for Internet banking but the number of online users is very low after the initial setup. What's wrong? The answer is: we need a permanent marketing campaign!
Marketing Cycles
Customers who were not ready for the new service at the moment of its initial introduction will be the customers that become ready after a few months; marketing continues in the meanwhile.
Key of success: enthusiasm, especially among the management.
How To Do Marketing
- Spreading enthusiasm among staff
- Utilizing common media for advertising (professional agencies)
- Organizing education about Internet technologies and new banking services among customers
- Agreements with local ISPs and resellers of PC equipment
Education of Customers
Studies show that:
- 7% of bank users are technically advanced
- 25% are open to new banking services but lack technical experience
Education of Customers
How to attract more online customers?
- Make agreements with local ISPs to give discounts to online bank customers
- Organize periodical meetings where online customers can exchange information about Internet banking services and e-Business in general
Be Informed!
To be successful in any business (including banking services) you constantly need information about:
- Competition (what they offer, what the complaints of their customers are)
- Potential customers
Among other ways of obtaining information, it is useful to monitor the Web and Web activity using search engines.
- Quarterly and annual financial reports
- Financial history
- SEC filings
- Stock quotes
- Press releases
- Information request forms
- Other shareholder information
- Subject directories
- Search Engines
- Meta crawlers
Subject Directories
- Links to Web sites are collected according to the topics they treat
- Links are collected by humans who evaluate them
- Useful when searching for some topic in general
- Not effective when trying to find something specific
- Examples: Yahoo!, Lycos, LookSmart, Excite
Search Engines
- They try to collect as many pages from the Web as possible and store them locally for later keyword search
- Pages are collected by using crawlers (SW components)
- Good for search on a specific query
- Result pages are sorted by relevancy
- Results can be out of date (currency problem)
- Examples: Google, AltaVista, Fast, Northern Light, ...
Diagram: the Search Engine's Crawler walks the Web and builds the List of pages stored locally.
Meta-crawlers
- They utilize other search engines concurrently by sending the user's request to them
- Good for queries about exotic topics
- Queries have to be simple because of the different formats among search engines
- Examples: MetaCrawler, Dogpile, HotBot, ...
Focused Crawling
Focused crawlers visit only topic-specific pages.
"I'll go only this way"
http://find.pcworld.com/11060
Leaders are:
- Google www.google.com
- Fast www.alltheweb.com
- Yahoo www.yahoo.com
- Lycos www.lycos.com
- Northern Light www.northernlight.com
You can also try with public databases not accessible to search engines.
Lycos Searchable Databases Directory http://dir.lycos.com/reference/searchable_databases
Part IV
Conclusion
Conclusion
In this tutorial on e-Banking we covered many of its aspects:
- You learned what an e-Bank is, and what the benefits of e-Banking are
- You familiarized yourself with the structure of the e-Bank
- You learned how to implement your own Internet channel and how to afterwards search for financial information on the Web in order to improve your business
- And you have also learned what possible security problems can occur and how to fight those problems
Conclusion in 40 Words
Every bank should implement its Internet channel (reduced cost of transaction, global connectivity).
Small and mid sized banks could benefit from using Application Service Providers for different kind of service (and choosing the good ASP is the most important step).
Final Words
Some Internet Myths
(from European ECM momentum, Maria Luisa Rodriguez, San Jose State University)
Myth: The Internet requires little upfront investment.
Fact: You get what you pay for.
Myth: The Internet will drive transactions from other channels.
Fact: Channel behavior is additive (channel adoption has always been additive).
Myth: The Internet is borderless.
Fact: Brand, marketing and consumer behavior is local.
~ The End ~
Authors:
Nikola Skundric nikolas@galeb.etf.bg.ac.yu Prof. Dr. Veljko Milutinovic vm@etf.bg.ac.yu Milos Kovacevic milos@grf.bg.ac.yu Nikola Klem klem@grf.bg.ac.yu